feat: project roles (#843)

* fix logging * token verification * feat: assert roles * feat: add project role assertion on project and token type on app * id and access token role assertion * add project role check * user grant required step in login * update library * fix merge * fix merge * fix merge * update oidc library * fix tests * add tests for GrantRequiredStep * add missing field ProjectRoleCheck on project view model * fix project create * fix project create
2025-08-12 03:37:34 +00:00 · 2020-10-16 07:49:38 +02:00
parent f5a7a0a09f
commit a321d850ae
57 changed files with 10894 additions and 18297 deletions
--- a/internal/project/repository/eventsourcing/model/oidc_config.go
+++ b/internal/project/repository/eventsourcing/model/oidc_config.go
@@ -2,26 +2,31 @@ package model

 import (
 	"encoding/json"
+	"reflect"
+
 	"github.com/caos/logging"
+
 	"github.com/caos/zitadel/internal/crypto"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/project/model"
-	"reflect"
 )

 type OIDCConfig struct {
 	es_models.ObjectRoot
-	Version                int32               `json:"oidcVersion,omitempty"`
-	AppID                  string              `json:"appId"`
-	ClientID               string              `json:"clientId,omitempty"`
-	ClientSecret           *crypto.CryptoValue `json:"clientSecret,omitempty"`
-	RedirectUris           []string            `json:"redirectUris,omitempty"`
-	ResponseTypes          []int32             `json:"responseTypes,omitempty"`
-	GrantTypes             []int32             `json:"grantTypes,omitempty"`
-	ApplicationType        int32               `json:"applicationType,omitempty"`
-	AuthMethodType         int32               `json:"authMethodType,omitempty"`
-	PostLogoutRedirectUris []string            `json:"postLogoutRedirectUris,omitempty"`
-	DevMode                bool                `json:"devMode,omitempty"`
+	Version                  int32               `json:"oidcVersion,omitempty"`
+	AppID                    string              `json:"appId"`
+	ClientID                 string              `json:"clientId,omitempty"`
+	ClientSecret             *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	RedirectUris             []string            `json:"redirectUris,omitempty"`
+	ResponseTypes            []int32             `json:"responseTypes,omitempty"`
+	GrantTypes               []int32             `json:"grantTypes,omitempty"`
+	ApplicationType          int32               `json:"applicationType,omitempty"`
+	AuthMethodType           int32               `json:"authMethodType,omitempty"`
+	PostLogoutRedirectUris   []string            `json:"postLogoutRedirectUris,omitempty"`
+	DevMode                  bool                `json:"devMode,omitempty"`
+	AccessTokenType          int32               `json:"accessTokenType,omitempty"`
+	AccessTokenRoleAssertion bool                `json:"accessTokenRoleAssertion,omitempty"`
+	IDTokenRoleAssertion     bool                `json:"idTokenRoleAssertion,omitempty"`
 }

 func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
@@ -51,6 +56,15 @@ func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
 	if c.DevMode != changed.DevMode {
 		changes["devMode"] = changed.DevMode
 	}
+	if c.AccessTokenType != changed.AccessTokenType {
+		changes["accessTokenType"] = changed.AccessTokenType
+	}
+	if c.AccessTokenRoleAssertion != changed.AccessTokenRoleAssertion {
+		changes["accessTokenRoleAssertion"] = changed.AccessTokenRoleAssertion
+	}
+	if c.IDTokenRoleAssertion != changed.IDTokenRoleAssertion {
+		changes["idTokenRoleAssertion"] = changed.IDTokenRoleAssertion
+	}
 	return changes
 }

@@ -64,18 +78,21 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
 		grantTypes[i] = int32(rt)
 	}
 	return &OIDCConfig{
-		ObjectRoot:             config.ObjectRoot,
-		AppID:                  config.AppID,
-		Version:                int32(config.OIDCVersion),
-		ClientID:               config.ClientID,
-		ClientSecret:           config.ClientSecret,
-		RedirectUris:           config.RedirectUris,
-		ResponseTypes:          responseTypes,
-		GrantTypes:             grantTypes,
-		ApplicationType:        int32(config.ApplicationType),
-		AuthMethodType:         int32(config.AuthMethodType),
-		PostLogoutRedirectUris: config.PostLogoutRedirectUris,
-		DevMode:                config.DevMode,
+		ObjectRoot:               config.ObjectRoot,
+		AppID:                    config.AppID,
+		Version:                  int32(config.OIDCVersion),
+		ClientID:                 config.ClientID,
+		ClientSecret:             config.ClientSecret,
+		RedirectUris:             config.RedirectUris,
+		ResponseTypes:            responseTypes,
+		GrantTypes:               grantTypes,
+		ApplicationType:          int32(config.ApplicationType),
+		AuthMethodType:           int32(config.AuthMethodType),
+		PostLogoutRedirectUris:   config.PostLogoutRedirectUris,
+		DevMode:                  config.DevMode,
+		AccessTokenType:          int32(config.AccessTokenType),
+		AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
+		IDTokenRoleAssertion:     config.IDTokenRoleAssertion,
 	}
 }

@@ -89,18 +106,21 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
 		grantTypes[i] = model.OIDCGrantType(rt)
 	}
 	oidcConfig := &model.OIDCConfig{
-		ObjectRoot:             config.ObjectRoot,
-		AppID:                  config.AppID,
-		OIDCVersion:            model.OIDCVersion(config.Version),
-		ClientID:               config.ClientID,
-		ClientSecret:           config.ClientSecret,
-		RedirectUris:           config.RedirectUris,
-		ResponseTypes:          responseTypes,
-		GrantTypes:             grantTypes,
-		ApplicationType:        model.OIDCApplicationType(config.ApplicationType),
-		AuthMethodType:         model.OIDCAuthMethodType(config.AuthMethodType),
-		PostLogoutRedirectUris: config.PostLogoutRedirectUris,
-		DevMode:                config.DevMode,
+		ObjectRoot:               config.ObjectRoot,
+		AppID:                    config.AppID,
+		OIDCVersion:              model.OIDCVersion(config.Version),
+		ClientID:                 config.ClientID,
+		ClientSecret:             config.ClientSecret,
+		RedirectUris:             config.RedirectUris,
+		ResponseTypes:            responseTypes,
+		GrantTypes:               grantTypes,
+		ApplicationType:          model.OIDCApplicationType(config.ApplicationType),
+		AuthMethodType:           model.OIDCAuthMethodType(config.AuthMethodType),
+		PostLogoutRedirectUris:   config.PostLogoutRedirectUris,
+		DevMode:                  config.DevMode,
+		AccessTokenType:          model.OIDCTokenType(config.AccessTokenType),
+		AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
+		IDTokenRoleAssertion:     config.IDTokenRoleAssertion,
 	}
 	oidcConfig.FillCompliance()
 	return oidcConfig
--- a/internal/project/repository/eventsourcing/model/project.go
+++ b/internal/project/repository/eventsourcing/model/project.go
@@ -2,7 +2,9 @@ package model

 import (
 	"encoding/json"
+
 	"github.com/caos/logging"
+
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/project/model"
 )
@@ -13,12 +15,14 @@ const (

 type Project struct {
 	es_models.ObjectRoot
-	Name         string           `json:"name,omitempty"`
-	State        int32            `json:"-"`
-	Members      []*ProjectMember `json:"-"`
-	Roles        []*ProjectRole   `json:"-"`
-	Applications []*Application   `json:"-"`
-	Grants       []*ProjectGrant  `json:"-"`
+	Name                 string           `json:"name,omitempty"`
+	ProjectRoleAssertion bool             `json:"projectRoleAssertion,omitempty"`
+	ProjectRoleCheck     bool             `json:"projectRoleCheck,omitempty"`
+	State                int32            `json:"-"`
+	Members              []*ProjectMember `json:"-"`
+	Roles                []*ProjectRole   `json:"-"`
+	Applications         []*Application   `json:"-"`
+	Grants               []*ProjectGrant  `json:"-"`
 }

 func GetProject(projects []*Project, id string) (int, *Project) {
@@ -35,6 +39,12 @@ func (p *Project) Changes(changed *Project) map[string]interface{} {
 	if changed.Name != "" && p.Name != changed.Name {
 		changes["name"] = changed.Name
 	}
+	if p.ProjectRoleAssertion != changed.ProjectRoleAssertion {
+		changes["projectRoleAssertion"] = changed.ProjectRoleAssertion
+	}
+	if p.ProjectRoleCheck != changed.ProjectRoleCheck {
+		changes["projectRoleCheck"] = changed.ProjectRoleCheck
+	}
 	return changes
 }

@@ -44,13 +54,15 @@ func ProjectFromModel(project *model.Project) *Project {
 	apps := AppsFromModel(project.Applications)
 	grants := GrantsFromModel(project.Grants)
 	return &Project{
-		ObjectRoot:   project.ObjectRoot,
-		Name:         project.Name,
-		State:        int32(project.State),
-		Members:      members,
-		Roles:        roles,
-		Applications: apps,
-		Grants:       grants,
+		ObjectRoot:           project.ObjectRoot,
+		Name:                 project.Name,
+		ProjectRoleAssertion: project.ProjectRoleAssertion,
+		ProjectRoleCheck:     project.ProjectRoleCheck,
+		State:                int32(project.State),
+		Members:              members,
+		Roles:                roles,
+		Applications:         apps,
+		Grants:               grants,
 	}
 }

@@ -60,13 +72,15 @@ func ProjectToModel(project *Project) *model.Project {
 	apps := AppsToModel(project.Applications)
 	grants := GrantsToModel(project.Grants)
 	return &model.Project{
-		ObjectRoot:   project.ObjectRoot,
-		Name:         project.Name,
-		State:        model.ProjectState(project.State),
-		Members:      members,
-		Roles:        roles,
-		Applications: apps,
-		Grants:       grants,
+		ObjectRoot:           project.ObjectRoot,
+		Name:                 project.Name,
+		ProjectRoleAssertion: project.ProjectRoleAssertion,
+		ProjectRoleCheck:     project.ProjectRoleCheck,
+		State:                model.ProjectState(project.State),
+		Members:              members,
+		Roles:                roles,
+		Applications:         apps,
+		Grants:               grants,
 	}
 }